Can the files be split into chunks so that you only have to encrypt the
sensitive section of the file (like encrypting connection strings within
a config file)?
Do you want to lock this data from the client? If so you have the
trouble that you can't trust the OS as the client could find a way to
gain admin rights on the PC if they want to, then they can view/do
anything they like.
The one trouble you have with the setup is if you want to encrypt this
data so the customers can't see it, there is no way to 100% stop them.
This is the same trouble they have with media, they want to encrypt it,
but the user's machine needs to be able to decrypt it. In the end you
are simply giving them the data encrypted with the key to decrypt it,
not much you can do to stop that.
If it's just the users you're worried about then the only reliable way
I can think of them not being able to access the data is if the app was
split into two sections.
The first section would be the app that the user uses, this contains
none of the secure code and runs with minimal access rights.
The second section runs with elevated access rights as a service. This
service will have read access to the protected files (this can be set up
using NTFS permissions).
Now the user land side of the app cannot access the secure files, but
the service app can. Thus the user land app needs to send requests to
the service to have it process whatever needs this secure data. The
service can then return the results back (but not the contents of the
secure files).
This is making the process more complex however, so you'll have to
evaluate what part of the system it is you don't trust and is the effort
required to fix it worth what it is you're protecting. Such as above
where if the people you don't trust to gain access to this information
can remove the hdd, etc. then there isn't much you can do to stop them
accessing the information if they really want to (and have the machine
accessible anonymously).
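
A sketch of the service half of the split described above, added here as an illustration and not code from the original post. The user-land app sends a named request and gets back only the computed result, never the connection string. The names `SecureService`, `OPERATIONS` and `build_demo` are hypothetical. A JSON config and a SQLite file stand in for the NTFS-protected files, and the request is passed in-process where a real deployment would use a local IPC channel.

```python
import json
import os
import sqlite3
import tempfile

# Allow-list: the user-land app names an operation; it never supplies SQL or a path.
OPERATIONS = {
    "order_count": "SELECT COUNT(*) FROM orders WHERE customer = ?",
    "order_total": "SELECT COALESCE(SUM(amount), 0) FROM orders WHERE customer = ?",
}

class SecureService:
    """Runs as the elevated service; only this process can read config_path."""
    def __init__(self, config_path):
        self._config_path = config_path

    def handle(self, raw_request):
        try:
            req = json.loads(raw_request)
            sql = OPERATIONS[req["op"]]
            customer = str(req["customer"])
        except (ValueError, KeyError, TypeError):
            return json.dumps({"ok": False, "error": "bad request"})
        try:
            with open(self._config_path) as f:
                conn_str = json.load(f)["connection_string"]
            conn = sqlite3.connect(conn_str)
            try:
                value = conn.execute(sql, (customer,)).fetchone()[0]
            finally:
                conn.close()
        except Exception:  # generic reply: exception text could echo the secret
            return json.dumps({"ok": False, "error": "internal error"})
        return json.dumps({"ok": True, "result": value})

def build_demo():
    """Constructed sample data standing in for the protected files."""
    d = tempfile.mkdtemp()
    db = os.path.join(d, "secure.db")
    conn = sqlite3.connect(db)
    conn.execute("CREATE TABLE orders (customer TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)",
                     [("alice", 30), ("alice", 12), ("bob", 5)])
    conn.commit()
    conn.close()
    cfg = os.path.join(d, "app.config.json")
    with open(cfg, "w") as f:
        json.dump({"connection_string": db}, f)
    return SecureService(cfg), db
```

The separation only holds if the file permissions deny the user account read access to both files. The allow-list then limits what the service will do with them on the user's behalf.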